Don't YOLO your file system
Recorded: March 28, 2026, 4 a.m.
Original

jai - easy containment for AI agents

Go hard on agents, not on your filesystem. Use jai for effortless containment of AI agents on Linux.

This is not hypothetical. People are already reporting lost files, emptied working trees, and wiped home directories after giving AI tools ordinary machine access.

- 15 years of family photos: “It’s not in trash; it was done via terminal.” (Nick Davidov on X)
- Claude Code wiped a home directory: “Complete loss of active development projects.” (Anthropic GitHub issue #10077)
- Cursor emptied a working tree: “Everything just gone.” (Cursor Community Forum)
- Antigravity wiped a whole drive: “My whole D drive was unintentionally wiped.” (Reddit post)
- Cursor deleted 100GB: “decided to delete 100GB from my computer.” (Cursor Community Forum)

There's a gap between giving an agent your real account and stopping everything to build a container or VM. jai fills that gap. One command, no images, no Dockerfiles — just a light-weight boundary for the workflows you're already running: quick coding help, one-off local tasks, running installer scripts you didn't write.

Your files, your rules. Use AI agents without handing over your whole account. jai gives your working directory full access and keeps the rest of your home behind a copy-on-write overlay — or hidden entirely.

Stop trusting blindly. One-line installer scripts, AI-generated shell commands, unfamiliar CLIs — stop running them against your real home directory. Drop jai in front and the worst case gets a lot smaller.

Containment shouldn't be hard. No images to build, no Dockerfiles to maintain, no 40-flag bwrap invocations. Just jai your-agent. If containment isn't easier than YOLO mode, nobody will bother.

How it works: one command, no setup required.

1. Prefix your command: jai codex, jai claude, or just jai for a shell.
2. CWD stays writable: your working directory keeps full read/write access inside the jail.
3. Home is an overlay: changes to your home directory are captured copy-on-write. Originals are untouched.
4. Rest is locked down: /tmp and /var/tmp are private. All other files are read-only.

Three modes. Pick the level of isolation that fits your workflow.

|                  | Casual                     | Strict                | Bare                               |
|------------------|----------------------------|-----------------------|------------------------------------|
| Home directory   | Copy-on-write overlay      | Empty private home    | Empty private home                 |
| Process runs as  | Your user                  | Unprivileged jai user | Your user                          |
| Confidentiality  | Weak — most files readable | Strong — separate UID | Medium — your UID, but home hidden |
| Integrity        | Overlay protects originals | Full isolation        | Full isolation                     |
| NFS home support | Yes                        | No                    | Yes                                |

Free software, not a funnel. jai is free software, brought to you by the Stanford Secure Computer Systems research group and the Future of Digital Currency Initiative. The goal is to get people using AI more safely.

Versus the alternatives. jai is not trying to replace containers. It fills a different niche.

- Docker: great for reproducible, image-based environments. Heavier to set up for ad-hoc sandboxing of host tools. No overlay-on-home workflow.
- bubblewrap: powerful namespace sandbox. Requires explicitly assembling the filesystem view — often turns into a long wrapper script, which is the friction jai removes.
- chroot: not a security mechanism. No mount isolation, no PID namespace, no credential separation. Linux documents it as not intended for sandboxing.

jai is not a promise of perfect safety. jai is a casual sandbox — it reduces the blast radius, but does not eliminate all the ways AI agents can harm you or your system. Casual mode does not protect confidentiality. Even strict mode is not equivalent to a hardened container runtime or VM. When you need strong multi-tenant isolation or defense against a determined adversary, use a proper container or virtual machine.

Stanford SCS and FDCI
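The bubblewrap comparison above says that assembling the filesystem view by hand turns into a long wrapper script. The script below is an added example, not jai's own code (the page does not show jai's implementation): it builds with bwrap the layout the page describes for the casual and bare modes (read-only root, private /tmp and /var/tmp, writable working directory, and a home directory either behind a tmpfs-backed copy-on-write overlay or replaced by an empty tmpfs), checks that the mount order cannot shadow the writable CWD, and probes the result from inside the sandbox. The mode names are borrowed from the page; the paths /work/proj and /home/alice in the comments are made up. It assumes bubblewrap 0.9 or newer (for --overlay-src and --tmp-overlay) and a kernel that permits unprivileged overlayfs inside user namespaces (5.11 or newer).

```shell
#!/bin/sh
# Added example, not jai's own code: build with bubblewrap the filesystem view
# the page describes for its casual and bare modes, and probe it from inside.
# Assumes bubblewrap >= 0.9 (--overlay-src/--tmp-overlay) and a kernel that
# allows unprivileged overlayfs inside user namespaces (5.11 or newer).
set -eu

# Print the bwrap argument list, one per line, for MODE (casual|bare).
# Later mount options override earlier ones, so the read-only root goes first,
# the home treatment next, and the writable CWD bind last so that it wins even
# when CWD lies inside $HOME.
jail_args() {
    local mode="$1" cwd="$2" home="$3"
    case $mode in
        casual|bare) ;;
        *) echo "jail_args: unknown mode '$mode'" >&2; return 2 ;;
    esac
    printf '%s\n' \
        --unshare-all --share-net --die-with-parent \
        --ro-bind / / \
        --dev /dev --proc /proc \
        --tmpfs /tmp --tmpfs /var/tmp
    if [ "$mode" = casual ]; then
        # Copy-on-write home: $home is the lower layer, an unnamed tmpfs the
        # upper layer, so every write is captured and the originals stay untouched
        printf '%s\n' --overlay-src "$home" --tmp-overlay "$home"
    else
        # Empty private home: same UID, but nothing under $home is visible
        printf '%s\n' --tmpfs "$home"
    fi
    printf '%s\n' --bind "$cwd" "$cwd" --chdir "$cwd"
}

# Read an argument list (one per line on stdin) and succeed only if it binds
# the whole root read-only and places the writable CWD --bind after every
# other mount, i.e. nothing can shadow it. A quick sanity check for wrappers.
check_args() {
    local root=0 n=0 last_mount=-1 bind=-1 expect="" arg
    while IFS= read -r arg; do
        n=$((n + 1))
        case $arg in
            --ro-bind) last_mount=$n; expect=root ;;
            --dev|--proc|--tmpfs|--tmp-overlay) last_mount=$n; expect="" ;;
            --bind) bind=$n; expect="" ;;
            *)  # recognise the two "/" operands that follow --ro-bind
                if [ "$expect" = root ] && [ "$arg" = / ]; then expect=root2
                elif [ "$expect" = root2 ] && [ "$arg" = / ]; then root=1; expect=""
                else expect=""
                fi ;;
        esac
    done
    [ "$root" -eq 1 ] && [ "$bind" -gt "$last_mount" ]
}

# Launch a throwaway shell in the sandbox and verify the four properties the
# page lists: CWD writable, everything else read-only, /tmp private, and home
# writes absorbed by the overlay (casual) or tmpfs (bare). Needs bwrap installed.
probe() {
    local mode="$1" cwd="${2:-$PWD}" home="${3:-$HOME}" arg
    set --
    while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(jail_args "$mode" "$cwd" "$home")
EOF
    bwrap "$@" -- sh -c '
        touch .jail-probe && rm .jail-probe || exit 1        # CWD writable
        ! touch /etc/jail-probe 2>/dev/null || exit 2         # rest read-only
        [ -z "$(ls -A /tmp)" ] || exit 3                      # /tmp is private
        touch "$HOME/.jail-probe" || exit 4                   # absorbed by overlay/tmpfs
        echo "layout OK: home write absorbed, originals untouched"'
}

# Usage: ./jail.sh casual|bare [CWD] [HOME]; with no arguments only the
# functions are defined, so the file can be sourced and checked without bwrap.
if [ "${1:-}" ]; then probe "$@"; fi
```

Two caveats that the page's modes table makes explicit and this script cannot paper over. First, --tmp-overlay uses an anonymous tmpfs as the upper layer, so the captured changes disappear when the sandbox exits; keeping them would need bwrap's --overlay with an on-disk upper directory and work directory. Second, bubblewrap alone does not give you the strict mode's separate UID: a uid remapped inside a user namespace still resolves to your own account for file permission checks, so the agent can read everything you can. Strong confidentiality as the table defines it requires running as a genuinely different, unprivileged user.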
Summarized

jai is a lightweight containment tool for running AI agents on Linux. The page opens with the motivation: users have reported AI coding tools such as Claude Code, Cursor and Antigravity deleting personal photos, emptying working trees, wiping home directories and, in one case, a whole drive, after being given ordinary access to the machine. The page cites accounts from Nick Davidov on X, an Anthropic GitHub issue (#10077), Cursor community forum posts and a Reddit post. The gap it targets lies between handing an agent your real account and stopping to build a container or VM; jai is meant to be the single command you reach for in between, with no images or Dockerfiles to maintain.

Usage is a prefix: jai codex, jai claude, or plain jai for a shell. Inside the jail the current working directory keeps full read/write access. The rest of the filesystem is read-only, /tmp and /var/tmp are private to the jail, and in casual mode the home directory sits behind a copy-on-write overlay, so writes by the agent are captured in the overlay while the files on disk are left untouched.

Three modes trade isolation against convenience. Casual keeps the overlay and runs as your own user; it protects the integrity of your home but offers weak confidentiality, because most files remain readable, and it works with NFS homes. Strict replaces home with an empty private directory and runs the process as a dedicated unprivileged jai user, which gives a separate UID and therefore strong confidentiality and full isolation, but no NFS home support. Bare also gives an empty private home but runs as your own user, so home is hidden while everything else stays readable (medium confidentiality).

The page positions jai against Docker (good for reproducible, image-based environments, heavier for ad-hoc sandboxing of host tools, and without an overlay-on-home workflow), bubblewrap (a powerful namespace sandbox that requires assembling the filesystem view by hand, usually in a long wrapper script) and chroot (not a security mechanism: no mount isolation, no PID namespace, no credential separation). jai is free software from the Stanford Secure Computer Systems research group and the Future of Digital Currency Initiative, and its stated goal is to get people using AI more safely rather than to funnel them toward a product.

The page is explicit that jai is a casual sandbox, not a promise of perfect safety: it shrinks the blast radius but does not eliminate every way an agent can harm the system, casual mode does not protect confidentiality, and even strict mode is not equivalent to a hardened container runtime or a VM. For multi-tenant isolation or defense against a determined adversary, the page directs users to a proper container or virtual machine.